docs: rewrite features.md, audit README + architecture against repo

Rewrote docs/features.md from scratch as authoritative feature inventory (1255 lines, every claim verified against source files). Audited README.md and architecture.md against repo — fixed 19 stale references: K8s Secrets status, issuer counts, dashboard page counts, CI thresholds, missing connectors in Mermaid diagrams, OpenAPI operation count, GetCACertPEM behavior, and V2/V4 roadmap accuracy. Also includes related fixes discovered during audit: - Scheduler skips expired/failed/revoked certs from auto-renewal - Seed demo expiry dates moved outside 31-day scheduler query window - Agent pages use correct last_heartbeat_at field name Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-06-14 22:28:52 +00:00 · 2026-04-15 00:22:57 -04:00
parent cabe8d33eb
commit 28d8771d8c
9 changed files with 1165 additions and 1314 deletions
@@ -136,8 +136,17 @@ func (s *RenewalService) CheckExpiringCertificates(ctx context.Context) error {
 	policyCache := make(map[string]*domain.RenewalPolicy)

 	for _, cert := range expiring {
-		// Skip if already renewing or archived
-		if cert.Status == domain.CertificateStatusRenewalInProgress || cert.Status == domain.CertificateStatusArchived {
+		// Skip certs in terminal or non-renewable states:
+		// - RenewalInProgress: already being renewed
+		// - Archived: no longer managed
+		// - Revoked: intentionally revoked, should not be auto-renewed
+		// - Failed: requires manual intervention (the failure cause hasn't been resolved)
+		// - Expired: requires manual review (why did it expire without renewal?)
+		if cert.Status == domain.CertificateStatusRenewalInProgress ||
+			cert.Status == domain.CertificateStatusArchived ||
+			cert.Status == domain.CertificateStatusRevoked ||
+			cert.Status == domain.CertificateStatusFailed ||
+			cert.Status == domain.CertificateStatusExpired {
 			continue
 		}